1. Managed Incident Lightweight Exchange (MILE) Overview and Participation Kathleen Moriarty Global Lead Security Architect EMC Corporate CTO Office

2. Agenda  IETF’s Managed Incident Lightweight Exchange (MILE) –Overview and Scope –Charter & documents –Data formats –Transport  How can I help? –End users, developers, implementers, vendors, etc.

3. MILE: Solving Interoperable Exchanges  Share, consume, process, and amend indicator and incident data –Enable easy processing and use by ▪Incident Management Systems, ▪Security Information and Event Management systems (SIEM), ▪intrusion detection systems, etc. –Intelligence feeds for situational awareness –Enable risk-based prioritization for remediation and defensive actions –Intended as a wire format  Provide not only a common format, but also an architecture and protocol exchange –Enabling interoperable peer-to-peer, repository access, and federated exchanges with publish/subscribe capabilities Data

4. Scope of Data Formats Classes of DataDescription 1Cyber Intelligence Analysis Describes the characteristics of the threat 2Cyber Incident Reporting Describes a particular cyber event 3Cyber Event Mitigation Describes a proactive or reactive mitigation 4Cyber Information Sharing Describes the meta-data necessary to share information with a third party  Questions to refine the scope and updates to IODEF will be covered on the mile@ietf.org mailing list over the next 2 monthsmile@ietf.org –The data tracker is in use to track issues, comments and feedback is requested on scope and issues. Please post them to the mailing list. Your contributions will shape IODEF v2. –http://tools.ietf.org/wg/mile/trac/report/1http://tools.ietf.org/wg/mile/trac/report/1 –IODEF v2 is planned for publication January 2014! Chart presented by Roman Danyliw at IETF-87

5. Overview  Updated Charter: –http://datatracker.ietf.org/wg/mile/charter/http://datatracker.ietf.org/wg/mile/charter/  Current list of documents:  http://datatracker.ietf.org/wg/mile/ http://datatracker.ietf.org/wg/mile/ –RFC5070-bis –IODEF Enumeration Reference Format –Structured Cybersecurity Information (SCI) –IODEF Guidance –RESTful indicator exchange using IODEF/RID

6. IODEF Data Model Supports Enterprise, CSIRT, and Service Provider Operations Internationalization support –Various Encodings –Translations Data handling labels –Sensitivity (includes TLP) –Confidence Extensibility of attributes and adding new elements Predicate logic under review in IODEF Guidance document Commonly exchanged indicator data representation –e.g., IP addresses, ports, protocols, applications, etc. Context rich to support indicator and incident information –History and requested actions Exploit and vulnerability references –Enumeration draft Forensics information – is more needed? iodef:EventData iodef:Descriptioniodef:DetectTimeiodef:StartTimeiodef:EndTimeiodef:Contactiodef:Assessmentiodef:Methodiodef:Flowiodef:Expectationiodef:Recordiodef:EventDataiodef:AdditionalData IODEF:Incident iodef:IncidentIDiodef:AlternativeIDiodef:RelatedActivityiodef:DetectTimeiodef:StartTimeiodef:EndTimeiodef:ReportTimeiodef:Assessmentiodef:Methodiodef:Contactiodef:EventDataiodef:Historyiodef:AdditionalData

7. Structured Cybersecurity Information (SCI) and Enumeration Reference Format drafts Drafts are in final review stages and will be integrated into IODEF v2  SCI draft provides consistent extension points for stand- alone schemas to be embedded in IODEF as extensions. –Extension points include: ▪AttackPattern ▪Vulnerability ▪Weakness ▪Platform ▪EventReport ▪Verification ▪Remediation –Example schemas may include ▪MMDEF, XCCDF, ACEML, OVAL, etc.  Enumeration Reference Format draft provides a consistent format for parsing reference values, such as a vulnerability number, for example CVE

8. MILE Incident & Indicator Exchanges Communication and Searches from Providers & Trusted Entities Detection & Security Systems RID ROLIE Indicator System Incident Mgmt Partner, Peer, Service Provider Trusted Entity Analysis Center Sharing Group RFC6545 & RFC6546 Automate exchange ofwatch lists of indicators to address many use cases such as anti-phishing, DDoS, eCrime, etc.

9. How Can I help?  Participate in the IETF MILE working group: –Meetings are held three times a year ▪Meeting dates/times can be found at: http://www.ietf.orghttp://www.ietf.org ▪Participation can be in person or remote via MeetEcho ▪All decisions are finalized on the mailing list –Join MILE@ietf.org mailing listMILE@ietf.org ▪Participate in an existing thread ▪Start a thread on any questions based on review of a draft ▪Start a thread on work to be proposed related to MILE  Review implementation list: –http://siis.realmv6.org/implementations/http://siis.realmv6.org/implementations/  Contribute to open source code: –https://github.com/RSAIntelSharehttps://github.com/RSAIntelShare  Provide feedback on code and associated RFCs and drafts